CVE-2026-22794

CRITICAL

Appsmith < 1.93 - Origin Validation Error in Email Link Generation


Exploitation Summary

EIP tracks 3 public exploit entries for CVE-2026-22794, published by MalikHamza7, exploitChains and XZ1r0. Two are classified as working PoCs; the exploitChains entry is classified as suspicious because it carries no exploit code (see below).

AI-analyzed exploit summary: This repository contains a functional PoC exploit for CVE-2026-22794, which leverages Origin header injection in Appsmith to hijack password reset tokens and achieve full account takeover. The exploit includes both client-side attack execution and server-side token capture capabilities.

Description

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin request header as the base URL for links embedded in outgoing emails without validating it against the instance's configured origin. Because Origin is set by the client, an unauthenticated attacker who triggers a password reset or email verification for a victim's address can supply an arbitrary Origin and have the emailed link point at an attacker-controlled domain; when the victim clicks it, the embedded token is disclosed to the attacker, potentially leading to account takeover. Note that Origin is only browser-enforced for cross-site requests made by a browser; a direct HTTP request can carry any value. The vulnerability is fixed in 1.93. To confirm exposure on a self-hosted instance, trigger a password reset for a test account with a request whose Origin header names a host you control and inspect the link in the resulting email: a fixed instance should use its configured URL regardless of the header.
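The Origin-as-baseUrl pattern the description refers to, beside a hardened derivation, as an added Python example that is not Appsmith's code (Appsmith's server is Java; this models the logic, not its implementation). The configured origin, the reset path `/user/resetPassword`, the allowlist design and the `simulate_forgot_password` helper are assumptions made for the illustration.

```python
"""Email base URL derivation: the pre-1.93 pattern the advisory describes
(trusting the request Origin) beside a hardened version.

Added example, not Appsmith's code; the constants and paths below are
assumptions chosen for illustration.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed: the instance's own public origin, as an operator would configure it.
CONFIGURED_ORIGIN = "https://appsmith.example.com"
# Assumed reset path; the real path is whatever the application routes.
RESET_PATH = "/user/resetPassword"


def normalize_origin(value):
    """Return 'scheme://host[:port]' for a bare origin, else None.

    Rejects userinfo, paths, queries and fragments so that values such as
    'https://good.example/@evil.example' or 'https://good.example@evil.example'
    cannot pass a string comparison against an allowlisted origin.
    Also rejects the literal 'null' Origin browsers send for opaque origins.
    """
    if not value:
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def reset_link_vulnerable(headers, token):
    """Pre-1.93 behaviour as the advisory describes it: the request Origin,
    whatever it is, becomes the base URL of the emailed link."""
    base = headers.get("Origin") or CONFIGURED_ORIGIN
    return f"{base.rstrip('/')}{RESET_PATH}?{urlencode({'token': token})}"


def reset_link_hardened(headers, token, allowed_origins=(CONFIGURED_ORIGIN,)):
    """Use the request Origin only if it normalizes to an allowlisted origin;
    otherwise fall back to the configured origin.  The Host header is
    deliberately not consulted either, since it is equally client-controlled."""
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    origin = normalize_origin(headers.get("Origin"))
    base = origin if origin in allowed else CONFIGURED_ORIGIN
    return f"{base}{RESET_PATH}?{urlencode({'token': token})}"


def token_recipient(link):
    """Host that receives the token when the victim follows the link."""
    return urlsplit(link).hostname


def simulate_forgot_password(link_builder, origin_header):
    """Model the server handling one forgot-password request: mint a token,
    build the emailed link with the given builder, and report where the
    token would end up.  Assumed helper; no network or email involved."""
    headers = {"Origin": origin_header} if origin_header is not None else {}
    token = secrets.token_urlsafe(24)
    link = link_builder(headers, token)
    return {"link": link, "token": token, "leaks_to": token_recipient(link)}


if __name__ == "__main__":
    probes = (
        "https://attacker.example",
        CONFIGURED_ORIGIN,
        "https://appsmith.example.com.attacker.example",
        "https://appsmith.example.com/@attacker.example",
        "null",
        None,
    )
    for name, builder in (("vulnerable", reset_link_vulnerable),
                          ("hardened", reset_link_hardened)):
        for origin in probes:
            r = simulate_forgot_password(builder, origin)
            print(f"{name:10} Origin={origin!s:50} -> token goes to {r['leaks_to']}")
```

Run stand-alone, the script prints, for each candidate Origin value, which host would receive the token under each derivation: the vulnerable builder hands it to whatever host the attacker named, while the hardened builder only ever emits the configured origin (or an explicitly allowlisted one). The allowlist exists for multi-domain deployments; a single-domain instance can simply ignore the header altogether.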

Exploits (3)

nomisec WORKING POC 7 stars
by MalikHamza7 · poc
https://github.com/MalikHamza7/CVE-2026-22794-POC


Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Appsmith (versions prior to patch)
Authentication: none required
Prerequisites: Victim's email address · Network access to target Appsmith instance · Victim interaction (clicking malicious link)
Analyzed by devstral-2 on Feb 16, 2026
github SUSPICIOUS 2 stars
by exploitChains · python · poc
https://github.com/exploitChains/poc-collection/tree/main/CVE-2026-22794

The repository contains only a README with a link to an advisory and no actual exploit code or technical details. It appears to be a placeholder or lure rather than a legitimate PoC.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Appsmith (version unspecified)
Authentication: none required
Analyzed by devstral-2 on Feb 27, 2026
github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/windows/CVE-2026-22794-POC

This repository contains a functional exploit for CVE-2026-22794, demonstrating password reset token hijacking via Origin header manipulation in Appsmith. The exploit includes a Python script to send malicious reset requests and a Nuclei template for vulnerability detection.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Appsmith (versions prior to patch)
Authentication: none required
Prerequisites: victim's email address · attacker-controlled server to capture tokens
Analyzed by devstral-2 on May 21, 2026

Scores

CVSS v3.1: 9.6 (Critical)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
EPSS: 0.0001 (0.01%)
EPSS Percentile: 2.0%

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-346 (Origin Validation Error)
Status: published
Products (1): appsmith/appsmith < 1.93
Published: Jan 12, 2026
Tracked since: Feb 18, 2026